Trisis Malware Targets Industrial Control Systems

According to Cyberscoop the Trisis (aka Triton) malware was mistakenly uploaded online late last year, an accident that could allow hackers to compromise the safety systems of power plants. Cyberscoop describes the malware as “an elite, government authored cyberweapon”.

Cyberscoop points to research by cybersecurity companies Dragos Inc. and FireEye plus “three sources familiar with the matter”, suggesting that Schneider Electric, a multinational energy technology company, posted a file containing malware to VirusTotal, a public malware repository. The file, which contains “the backbone of dangerous malware framework known as Trisis”, was titled “Library.zip” and was obtained by the energy company while collecting evidence on a data breach at a facility in the Middle East. Researchers believe that the malware has previously been used to shut down a Saudi Arabia-based oil and gas facility. Fortunately, a coding error stopped the malware from working as intended and a potential catastrophe didn’t occur.

A Schneider Electric spokesperson told CyberScoop, “In line with industry protocol, a Schneider Electric employee posted a file to VirusTotal in the interest of enabling its security vendor members to analyse and respond to the new malware. Shortly afterwards, Schneider Electric received a request from a third party to take the file down, and promptly complied with that request”.

While the file was posted online for less than 24 hours, Cyberscoop said many copies of the file were made during that period, and it was picked up and re-posted to several platforms, including GitHub. Cyberscoop said the file contained “the remaining puzzle piece needed for someone to reconstruct Trisis from publicly available artifacts”.

The Trisis malware is aimed at controlling the industrial control systems (ICS) of an energy plant or utility grid running Schneider Electric equipment, in order to perform actions that could overwhelm them. Further, Trisis is difficult to detect, as it controls outward communication while destroying the ICS from within, potentially leading security teams to believe that there are no issues.

While sharing of files among researchers and practitioners is a necessary part of furthering their work and protecting against new attacks, sharing can have damaging consequences, particularly when mistakes such as this occur.

However, some in the industry are highlighting the fact that Trisis is not a highly scalable attack as it can’t be easily replicated without significant knowledge of a potential target and further in-depth work.

Pascal Geenens, Radware EMEA security evangelist, told SC Media UK, “Given the specific attack vector and need for considerable knowledge and investment to adapt the code to attack the specifics of the safety systems lower the risk and sensitivity of the information and the public knowledge for security researchers and engineers in ICS does outweigh the risk in my opinion”. He added, “The malware targets Schneider Electric’s Triconex safety instrumented system (SIS) specifically. Each SIS is unique and to attack other SIS systems would require knowledge of those processes.”

However, Dragos (whose researchers previously worked for the NSA) says that the discovery of the malware was particularly troubling, as it was the first known piece of computer software aimed at killing humans. “The only purpose of these safety systems is to protect human life,” Robert M. Lee, co-founder of Dragos, told the Santa Fe New Mexican. “The only reason to sabotage them is to kill people.”